Microsoft FUDwatch II: Internet Explorer vs. Firefox security

Microsoft is at it again. Or, rather, Jeff Jones is. Jones is Microsoft's security strategy direction and is the one who periodically remixes history and data to declare that Windows is more secure than Linux. Now he's declaring [PDF] that Internet Explorer is much safer than Firefox.

However, as ZDNet's Ryan Naraine writes, Jones may be mis-analyzing the data:

...[T]here's one key thing missing from Jones's analysis - the auto-patching mechanism built into Firefox that gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates while immediate Internet Explorer updates depend entirely on the end-user using the Windows AU mechanism. Don't even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That's one of the main reasons malware authors take aim at IE more than any other desktop application.

This is an aspect of security that one wouldn't necessarily want to rely on, and yet it has deep importance. The Honeynet Project analyzed inherent vulnerabilities in Firefox and IE and found that Firefox had more, but that IE still experiences more security breakdowns. In fact, when the Project surfed to 30,000 known exploit servers, IE crumpled while Firefox didn't have a single security breakdown. Why?

We can only speculate why Firefox wasn't targeted. We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

In other words, if you're a malware creator, you want to go where you can have the most impact. It's far easier to go after a single point of failure (Microsoft) than to have to figure out a successful Firefox exploit.

Is Firefox more secure than IE on a technology level? I don't know. I do know that I prefer the transparency of the Mozilla Foundation to the secrecy of Microsoft (or any proprietary software company). That transparency makes a material difference in the security process standing behind the browser.

It's a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.

We're better off with open security processes and real competition in the browser market. No code is perfect, whether written by Microsoft or Mozilla. Perfection comes in the response to a problem, once we've done all we can to avert it in the first place. This is why Mozilla's Firefox makes the most sense for me. It's also why I won't be looking for a Mozilla OS anytime soon. I don't need a one-stop shop.